Email interception fraud is on the rise. It begins with criminals stealing credentials such as email usernames and passwords.
With those credentials the fraudster gains access to your business email accounts and can impersonate you and the business. The mailbox gives them private information such as banking details and account information, so they can intercept payments, change banking details or request information from inside your legitimate mailbox, in messages that look and sound exactly like you.
“Email interception fraud allows the threat activator behind the spoof to intercept emails that contain private information such as invoices and banking details,” explains Jenny Jooste, client manager for cyber and professional indemnity technology at Aon South Africa. “Once the hackers are in your IT environment, they can conduct fraudulent activities such as sending fake invoices, requesting updates to bank account details, or intercepting and altering inbound payment details and redirecting payments into fraudulent accounts by sending emails that look exactly like the ones you or your business may have been dealing with.”
There are many tactics that cybercriminals can employ to gain access to your email account. Aon provides a few examples:
* Phishing emails: Fraudsters use spoofed emails that appear to be from a legitimate source, such as a bank, to collect your personal information, or they use deceptive links that lead to malicious websites mimicking legitimate ones. They can also manipulate email headers to make a message appear to come from a trusted sender, and they can use a display name that looks like the original contact even though the actual email address is different.
* Man-in-the-Middle (MitM) attacks: Fraudsters may intercept and monitor communication between two parties. These attacks can occur on public Wi-Fi networks or through compromised routers, allowing the capture of sensitive information.
* Keyloggers and malware: Malicious attachments in emails can contain malware, including keyloggers, which record keystrokes and can capture sensitive information such as usernames and passwords.
* Social engineering: Attackers may impersonate someone you know, like a colleague or friend, and request sensitive information via email. They can also create a fabricated scenario to trick you into divulging sensitive information.
* Business Email Compromise: Fraudsters may impersonate high-ranking executives within an organisation to trick employees into transferring funds or providing sensitive information.
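The display-name trick in the phishing bullet above, and the redirected replies used in interception, can both be caught at the mail gateway with a simple header check. The script below is an added example written for this article, not code from Aon or from the article itself; the address book, the message headers and the domain names in it are constructed test data. It parses the From and Reply-To headers of a raw message, flags a display name that matches a trusted contact but arrives from a different address, and flags a Reply-To that diverges from the sender.

```python
"""Flag display-name spoofing and reply-to redirection in inbound mail headers.

Added example for this article. The contact list and sample messages are
constructed test data, not real organisations or addresses.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display names the organisation trusts, each with
# the one address that contact is expected to send from.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@example-supplier.com",
    "accounts payable": "ap@example-supplier.com",
}


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' and 'jane doe' match."""
    return " ".join(name.lower().split())


def check_sender(raw_message: str) -> list[str]:
    """Return a list of findings for one raw RFC 5322 message string.

    An empty list means the headers passed both checks.
    """
    msg = message_from_string(raw_message)
    findings = []

    # Split "Jane Doe <jane.doe@...>" into its display name and address part.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()

    # Check 1: a trusted display name sent from an unexpected address.
    expected = KNOWN_CONTACTS.get(normalise(display_name))
    if expected and from_addr != expected:
        findings.append(
            f"display-name mismatch: '{display_name}' is expected from "
            f"{expected} but this mail is from {from_addr}"
        )

    # Check 2: replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"reply-to diverges from sender: {reply_addr.lower()}")

    return findings


# Constructed sample: lookalike domain (supp1ier) plus a foreign Reply-To.
SPOOFED = """From: Jane Doe <jane.doe@example-supp1ier.com>
Reply-To: payments@mailbox-example.net
To: finance@example.com
Subject: Updated banking details

Please update our account number before the next payment run.
"""

# Constructed sample: genuine contact, no Reply-To header.
LEGIT = """From: Jane Doe <jane.doe@example-supplier.com>
To: finance@example.com
Subject: Invoice 123

Invoice attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        result = check_sender(raw)
        print(label, "->", result or "no findings")
```

The two checks are deliberately narrow: they do not prove a message is fraudulent, only that it deserves the out-of-band verification step the article recommends before any banking detail is changed. In a real gateway the contact list would be fed from the address book or supplier master data rather than hard-coded.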
Fostering a cyber-secure culture by training staff on an ongoing, regular basis, using simulated phishing emails and WhatsApp messages, is your very first line of defence. Should staff click on links in these simulation exercises, follow up with training that reminds them of the need to be cautious and of the impact on the business and on job security should an attacker gain access to the company's IT environment.
“Phishing remains one of the leading causes of unauthorised access to a personal or business email account. It is crucial for you to not only spot a phishing email but to report the email to your cyber security team,” says Jooste.
Is email fraud an insurable risk?
Cyber risk is complex, as it affects so many facets of our daily personal and business lives. As a result, different types of insurance cover are available in the market, each covering different risks and trigger events. Aon unpacks the different types of cover and how they would respond to an email interception fraud claim:
* Cyber risk policy: A cyber risk policy is aimed at covering data and connectivity costs related to a cyber breach. The policy would respond to incident response costs, including the forensic investigation aimed at finding the source of the breach, as well as the subsequent liability arising from information being lost. A cyber risk policy will respond to the stolen money itself only where it includes the theft of funds section noted below.
* Theft of funds extension on a cyber policy: Email interception fraud is covered under this extension. For the policy to trigger, the insured has to incur an actual loss of funds from a business bank account due to email interception fraud; some policies will also consider where the interception took place, on your IT systems or on those of a third-party client or vendor. A theft of funds extension is normally sub-limited in respect of the overall annual policy limit of indemnity, and insurers will want to know what procedures and controls a company has in place for requests to change banking details and how those requests are verified, very much in line with what would be required for a commercial crime policy.
* Commercial crime policy: A standalone commercial crime policy will protect against direct financial loss resulting from theft and fraud. It provides cover for employee dishonesty, computer fraud, extortion and fraudulent transfer instructions. A commercial crime policy would respond to email interception fraud within the agreed limits stipulated in the policy if a social engineering fraud extension has been provided; again, this will be sub-limited.
* Professional indemnity policy: Responds to a company's vicarious liability for its staff in respect of their legal liability in the event of an error, negligence or omission. Some insurance carriers would respond to an email interception fraud claim of the kind described above. Where this cover can be obtained, it needs to be discussed with your broker to ensure the insurer has included it. Silent cyber conditions have been added to most professional indemnity policies, so this cover needs to be negotiated with additional underwriting information.
* Directors and officers policy: Responds to the fiduciary duties of directors and officers in their personal capacity. The policyholder is the company; the policy is purchased for and on behalf of the directors and officers who have the ability to bind the company legally. The cover responds to allegations where, for example, there is an email interception and funds are stolen or deposited into the incorrect bank account. A claim could be made against the directors and officers alleging that due care and diligence was not implemented in terms of internal processes to avoid such a situation. The defence could be, firstly, that there is a commercial crime policy with a social engineering fraud extension to respond to such claims; secondly, that there are processes and controls in place requiring all staff to run a verification process before changing banking details; and lastly, that corporate governance audits ensure accountability for internal controls and decision-making processes.